diff --git a/examples/clusterscoped/deny-external-network-access.yaml b/examples/clusterscoped/deny-external-network-access.yaml
new file mode 100644
index 00000000..ca73cf5a
--- /dev/null
+++ b/examples/clusterscoped/deny-external-network-access.yaml
@@ -0,0 +1,26 @@
+apiVersion: intent.security.nimbus.com/v1alpha1
+kind: SecurityIntent
+metadata:
+ name: deny-ext-nw-access
+spec:
+ intent:
+ id: denyExternalNetworkAccess
+ description: "Deny external network access to prevent data exfiltration"
+ action: Block
+
+---
+
+apiVersion: intent.security.nimbus.com/v1alpha1
+kind: ClusterSecurityIntentBinding
+metadata:
+ name: deny-ext-nw-access-foo-binding
+spec:
+ intents:
+ - name: deny-ext-nw-access
+ selector:
+ nsSelector:
+ matchNames:
+ - prod
+ workloadSelector:
+ matchLabels:
+ app: foo
\ No newline at end of file
diff --git a/pkg/adapter/idpool/idpool.go b/pkg/adapter/idpool/idpool.go
index aed2dfe4..011e9d28 100644
--- a/pkg/adapter/idpool/idpool.go
+++ b/pkg/adapter/idpool/idpool.go
@@ -17,6 +17,7 @@ const (
 DisallowCapabilities = "disallowCapabilities"
 ExploitPFA = "preventExecutionFromTempOrLogsFolders"
 EnsureTLS = "ensureTLS"
+ DenyENAccess = "denyExternalNetworkAccess"
 )
 
 // KaIds are IDs supported by KubeArmor.
@@ -36,6 +37,7 @@ var KaIDPolicies = map[string][]string{
 // NetPolIDs are IDs supported by Network Policy adapter.
 var NetPolIDs = []string{
 DNSManipulation,
+ DenyENAccess,
 }
 
 // KyvIds are IDs supported by Kyverno.
diff --git a/pkg/adapter/nimbus-netpol/manager/netpols_manager.go b/pkg/adapter/nimbus-netpol/manager/netpols_manager.go
index 1c854421..78d52864 100644
--- a/pkg/adapter/nimbus-netpol/manager/netpols_manager.go
+++ b/pkg/adapter/nimbus-netpol/manager/netpols_manager.go
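Review bot: `DenyENAccess` is an opaque abbreviation sitting next to constants that spell out the ID they hold (`DNSManipulation`, `DisallowCapabilities`, `EnsureTLS`), so a reader has to open the string to learn what "EN" means. `DenyExternalNetworkAccess = "denyExternalNetworkAccess"` keeps the Go name aligned with the ID string, and the same rename applies to its use in the NetPolIDs hunk below and to the switch case in netpol_builder.go.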
@@ -98,7 +98,7 @@ func createOrUpdateNetworkPolicy(ctx context.Context, npName, npNamespace string
 return
 }
 
- if adapterutil.IsOrphan(np.GetOwnerReferences(), "SecurityIntentBinding") {
+ if adapterutil.IsOrphan(np.GetOwnerReferences(), "SecurityIntentBinding", "ClusterSecurityIntentBinding") {
 logger.V(4).Info("Ignoring orphan NimbusPolicy", "NimbusPolicy.Name", npName, "NimbusPolicy.Namespace", npNamespace)
 return
 }
diff --git a/pkg/adapter/nimbus-netpol/processor/netpol_builder.go b/pkg/adapter/nimbus-netpol/processor/netpol_builder.go
index 5132841c..aabdcebc 100644
--- a/pkg/adapter/nimbus-netpol/processor/netpol_builder.go
+++ b/pkg/adapter/nimbus-netpol/processor/netpol_builder.go
@@ -21,6 +21,7 @@ func BuildNetPolsFrom(logger logr.Logger, np v1alpha1.NimbusPolicy) []netv1.Netw
 var netpols []netv1.NetworkPolicy
 for _, nimbusRule := range np.Spec.NimbusRules {
 id := nimbusRule.ID
+ logger.Info(id)
 if idpool.IsIdSupportedBy(id, "netpol") {
 netpol := buildNetPolFor(id)
 netpol.Name = np.Name + "-" + strings.ToLower(id)
@@ -40,11 +41,96 @@ func buildNetPolFor(id string) netv1.NetworkPolicy {
 switch id {
 case idpool.DNSManipulation:
 return dnsManipulationNetpol()
+ case idpool.DenyENAccess:
+ return denyExternalNetworkAcessNetpol()
+ default:
+ return netv1.NetworkPolicy{}
+ }
+}
+
+func denyExternalNetworkAcessNetpol() netv1.NetworkPolicy {
+ udpProtocol := corev1.ProtocolUDP
+ tcpProtocol := corev1.ProtocolTCP
+ dnsPort := &intstr.IntOrString{
+ Type: 0,
+ IntVal: 53,
+ }
+
+ return netv1.NetworkPolicy{
+ Spec: netv1.NetworkPolicySpec{
+ Ingress: []netv1.NetworkPolicyIngressRule{
+ {
+ From: []netv1.NetworkPolicyPeer{
+ {
+ IPBlock: &netv1.IPBlock{
+ CIDR: "10.0.0.0/8",
+ },
+ },
+ {
+ IPBlock: &netv1.IPBlock{
+ CIDR: "172.16.0.0/12",
+ },
+ },
+ {
+ IPBlock: &netv1.IPBlock{
+ CIDR: "192.168.0.0/16",
+ },
+ },
+ },
+ },
+ },
+ Egress: []netv1.NetworkPolicyEgressRule{
+ {
+ To: []netv1.NetworkPolicyPeer{
+ {
+ PodSelector: &metav1.LabelSelector{
+ MatchLabels: map[string]string{
+ "k8s-app": "kube-dns",
+ },
+ },
+ NamespaceSelector: &metav1.LabelSelector{
+ MatchLabels: map[string]string{
+ "kubernetes.io/metadata.name": "kube-system",
+ },
+ },
+ },
+
+ {
+ IPBlock: &netv1.IPBlock{
+ CIDR: "10.0.0.0/8",
+ },
+ },
+ {
+ IPBlock: &netv1.IPBlock{
+ CIDR: "172.16.0.0/12",
+ },
+ },
+ {
+ IPBlock: &netv1.IPBlock{
+ CIDR: "192.168.0.0/16",
+ },
+ },
+ },
+ Ports: []netv1.NetworkPolicyPort{
+ {
+ Protocol: &udpProtocol,
+ Port: dnsPort,
+ },
+ {
+ Protocol: &tcpProtocol,
+ Port: dnsPort,
+ },
+ },
+ },
+ },
+ PolicyTypes: []netv1.PolicyType{
+ netv1.PolicyTypeEgress,
+ netv1.PolicyTypeIngress,
+ },
+ },
+ }
+}
+
 func dnsManipulationNetpol() netv1.NetworkPolicy {
 udpProtocol := corev1.ProtocolUDP
 tcpProtocol := corev1.ProtocolTCP
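Review bot: `logger.Info(id)` in BuildNetPolsFrom is a bare debug line: it emits the rule ID as the log message with no key/value context, at the default verbosity, once per NimbusRule on every reconcile. Either drop it or make it a structured, verbose-level entry consistent with the manager's `logger.V(4).Info(...)` calls, e.g. `logger.V(4).Info("Processing NimbusRule", "ID", id)`. The body of BuildNetPolsFrom continues outside the hunk.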